Ansible ins Repo migrieren und zentrale SSH-Keys in shared/ssh.

Playbooks liegen unter pve1/ansible und pve2/ansible; authorized_keys
als Fragmente mit Deploy-Skript und Ziel-Matrix für Proxmox, VM 101 und CTs.

Co-authored-by: Cursor <cursoragent@cursor.com>

shared/ssh/install-authorized-keys.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+# authorized_keys aus docu/shared/ssh deployen
+set -euo pipefail
+
+DOCU_ROOT="${DOCU_ROOT:-/root/docu}"
+SSH_DIR="$DOCU_ROOT/shared/ssh"
+DRY_RUN=0
+TARGET=""
+DEST=""
+REMOTE=""
+CT_IDS=()
+
+usage() {
+  cat <<'EOF'
+Usage: install-authorized-keys.sh [options] <target>
+
+Targets:
+  proxmox-root    → /root/.ssh/authorized_keys auf Proxmox-Hosts
+  vm101-jean      → jean@192.168.10.10 ~/.ssh/authorized_keys
+  pve2-lxc-root   → root in CTs auf pve2 (101 docker, 109 media, 110 aidev)
+
+Options:
+  --dest PATH         Lokale Zieldatei (nur proxmox-root, default: /root/.ssh/authorized_keys)
+  --remote USER@HOST  Auf Remote-Host installieren (proxmox-root / vm101-jean)
+  --ct VMID           Nur einen CT (pve2-lxc-root, mehrfach möglich)
+  --dry-run           Nur anzeigen, nicht schreiben
+  -h                  Hilfe
+
+Beispiele:
+  ./install-authorized-keys.sh proxmox-root
+  ./install-authorized-keys.sh --remote root@192.168.10.5 proxmox-root
+  ./install-authorized-keys.sh vm101-jean
+  ./install-authorized-keys.sh pve2-lxc-root --ct 101
+EOF
+}
+
+log() { printf '%s\n' "$*"; }
+
+run() {
+  if (( DRY_RUN )); then
+    log "[dry-run] $*"
+  else
+    "$@"
+  fi
+}
+
+install_local_file() {
+  local src="$1" dest="$2"
+  run mkdir -p "$(dirname "$dest")"
+  run chmod 700 "$(dirname "$dest")"
+  if (( DRY_RUN )); then
+    log "[dry-run] cp $src → $dest"
+    head -3 "$src"
+    log "… ($(wc -l <"$src") Zeilen)"
+  else
+    install -m 600 -o root -g root "$src" "$dest"
+    log "Installiert: $dest ($(wc -l <"$dest") Keys)"
+  fi
+}
+
+install_remote() {
+  local src="$1" remote="$2" dest="$3"
+  if (( DRY_RUN )); then
+    log "[dry-run] ssh $remote install -m 600 … ← $src"
+    return
+  fi
+  ssh "$remote" "mkdir -p $(dirname "$dest") && chmod 700 $(dirname "$dest")"
+  scp -q "$src" "$remote:/tmp/authorized_keys.new"
+  ssh "$remote" "install -m 600 -o \$(id -un) -g \$(id -gn) /tmp/authorized_keys.new '$dest' && rm -f /tmp/authorized_keys.new"
+  log "Installiert auf $remote:$dest"
+}
+
+install_pve2_ct() {
+  local src="$1" vmid="$2"
+  if (( DRY_RUN )); then
+    log "[dry-run] pct exec $vmid → /root/.ssh/authorized_keys"
+    return
+  fi
+  pct exec "$vmid" -- mkdir -p /root/.ssh
+  pct exec "$vmid" -- chmod 700 /root/.ssh
+  pct push "$vmid" "$src" /root/.ssh/authorized_keys
+  pct exec "$vmid" -- chmod 600 /root/.ssh/authorized_keys
+  log "CT $vmid: /root/.ssh/authorized_keys ($(wc -l <"$src") Keys)"
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --dest) DEST="$2"; shift 2 ;;
+    --remote) REMOTE="$2"; shift 2 ;;
+    --ct) CT_IDS+=("$2"); shift 2 ;;
+    --dry-run) DRY_RUN=1; shift ;;
+    -h|--help) usage; exit 0 ;;
+    -*) echo "Unbekannte Option: $1" >&2; usage >&2; exit 1 ;;
+    *) TARGET="$1"; shift ;;
+  esac
+done
+
+[[ -n "$TARGET" ]] || { usage >&2; exit 1; }
+[[ -d "$SSH_DIR/assembled" ]] || { echo "Fehlt: $SSH_DIR (git pull?)" >&2; exit 1; }
+
+case "$TARGET" in
+  proxmox-root)
+    SRC="$SSH_DIR/assembled/proxmox-root.pub"
+    DEST="${DEST:-/root/.ssh/authorized_keys}"
+    if [[ -n "$REMOTE" ]]; then
+      install_remote "$SRC" "$REMOTE" "$DEST"
+    else
+      install_local_file "$SRC" "$DEST"
+    fi
+    ;;
+  vm101-jean)
+    SRC="$SSH_DIR/assembled/vm101-jean.pub"
+    DEST="${DEST:-/home/jean/.ssh/authorized_keys}"
+    REMOTE="${REMOTE:-jean@192.168.10.10}"
+    install_remote "$SRC" "$REMOTE" "$DEST"
+    ;;
+  pve2-lxc-root)
+    SRC="$SSH_DIR/assembled/pve2-lxc-root.pub"
+    if [[ ${#CT_IDS[@]} -eq 0 ]]; then
+      CT_IDS=(101 109 110)
+    fi
+    for vmid in "${CT_IDS[@]}"; do
+      install_pve2_ct "$SRC" "$vmid"
+    done
+    ;;
+  *)
+    echo "Unbekanntes Target: $TARGET" >&2
+    usage >&2
+    exit 1
+    ;;
+esac